[Owasp-leaders] Javascript required for OWASP page?

Justin Clarke justin.clarke at owasp.org
Wed Jan 19 15:32:38 EST 2011


I think this would be a great example of some minor leadership that OWASP could show. The only question is how funky MediaWiki is with regards to JavaScript, which I haven't looked into.  In any case, a good task to tackle at the Summit, possibly over a beer.

Justin

On 19 Jan 2011, at 17:36, Michael Coates wrote:

> Brandon Sterne, one of the primary developers of CSP at Mozilla, will be present at the OWASP Summit and available to discuss further. I've also copied him on this email.
> 
> Michael Coates
> OWASP
> 
> 
> 
> On Jan 19, 2011, at 8:33 AM, Justin Clarke wrote:
> 
>> I also like Dinis's idea of implementing CSP for owasp.org.  Not sure how big the task would be, but that would be well worth doing.
>> 
>> Justin
>> 
>> On 19 Jan 2011, at 16:24, Jim Manico wrote:
>> 
>>> I like where Chris is going with this. Perhaps we could set up a dev server for this assessment with clear rules of play and written permission for those involved?
>>> 
>>> -Jim Manico
>>> http://manico.net
>>> 
>>> On Jan 19, 2011, at 6:19 AM, Chris Schmidt <chris.schmidt at owasp.org> wrote:
>>> 
>>>> I'm not 100% sure this is a great idea right now. We have a lot of PR going
>>>> out around the summit, and opening ourselves up to potential attackers
>>>> world-wide at this point would probably be fine for those who are already
>>>> OWASP members as they should execute with some level of integrity, but I
>>>> think that this invites another crowd of people with much less integrity who
>>>> may not simply disclose their issues to us but also deface or otherwise hurt
>>>> our message while we are in the middle of a large PR/Marketing push for the
>>>> summit. It would be fairly embarrassing and harmful to our image if someone
>>>> managed to exploit an unpatched vuln, gain root, and change our page to a
>>>> "Pwnd by so and so" page just as some Fortune 500 decided they wanted to
>>>> come to the page and donate to the summit.
>>>> 
>>>> I think that this is a good idea for the summit itself, maybe for an
>>>> all-expense trip to the next major Conference or something like that, but I
>>>> also think it should be restricted to *only* OWASP members.
>>>> 
>>>> Just my $0.154 (accounting for the dollar to euro conversion rate)
>>>> 
>>>> 
>>>> On 1/19/11 9:04 AM, "dinis cruz" <dinis.cruz at owasp.org> wrote:
>>>> 
>>>>> I think we should have a competition to see who can hack the owasp.org
>>>>> website :)
>>>>> 
>>>>> The prize would be a fully paid (travel+accommodation) ticket to the
>>>>> Summit
>>>>> 
>>>>> Extra kudos points would be given for gaining root on the owasp.org
>>>>> server
>>>>> 
>>>>> Anybody on this list have the cycles to organize this?
>>>>> 
>>>>> Dinis Cruz
>>>>> 
>>>>> On 19 Jan 2011, at 15:59, Vlatko Kosturjak <kost at linux.hr> wrote:
>>>>> 
>>>>>> On 01/19/2011 04:50 PM, dinis cruz wrote:
>>>>>>> It shows that owasp.org is in the same 'shape' as 90% of the websites
>>>>>>> out there.
>>>>>>> 
>>>>>>> There is a O2 module that shows all the Javascript (files and inline)
>>>>>>> code that is loaded by an owasp.org page (it is quite a list)
>>>>>>> 
>>>>>>> Maybe a good working session for the summit would be to consolidate
>>>>>>> all owasp.org javascripts and add CSP to it
>>>>>>> 
>>>>>>> In fact we should have a 'hack owasp.org and mediawiki' competition at
>>>>>>> the Summit ....... :) :) :)
>>>>>> 
>>>>>> Especially to find bugs like this (as mediawiki is in PHP):
>>>>>> http://gregorkopf.de/slides_berlinsides_2010.pdf
>>>>>> 
>>>>>> Kost
>>>>> _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>> 
>>>> Chris Schmidt
>>>> ESAPI Project Manager (http://www.esapi.org)
>>>> ESAPI4JS Project Owner (http://bit.ly/9hRTLH)
>>>> Blog: http://yet-another-dev.blogspot.com
>>>> 
>>>> 
>>>> 
>> 
> 
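An added example, not code from this thread and not the O2 module Dinis refers to: a small Python audit that does what the discussion proposes, inventory every external and inline script a page loads (including inline event handlers and javascript: URLs, which CSP also treats as inline script) and draft a script-src policy from the result. The sample HTML, page URL and CDN host are constructed for the example. The 'sha256-...' source expressions are CSP Level 2, which postdates this 2011 thread; the only option at the time for inline code was 'unsafe-inline', which is what the draft falls back to when event handlers remain.

```python
"""Inventory the scripts in an HTML page and draft a Content-Security-Policy.

Added example for the 'consolidate owasp.org JavaScript and add CSP' idea.
Runs offline on constructed input; nothing here is fetched from owasp.org.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline event-handler attributes (not exhaustive); CSP treats them as inline script,
# and a script-src hash cannot whitelist them, so they must be rewritten or allowed
# wholesale with 'unsafe-inline'.
EVENT_ATTRS = {"onclick", "onload", "onmouseover", "onerror", "onsubmit",
               "onchange", "onkeyup", "onkeydown", "onfocus", "onblur"}


class ScriptAuditor(HTMLParser):
    """Collects <script src>, inline <script> bodies and inline handlers."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attribute of each <script src=...>
        self.inline = []     # exact text of each inline <script> block
        self.handlers = []   # (tag, attribute, value) for inline handlers / javascript: URLs
        self._in_inline_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            if attrs.get("src"):
                self.external.append(attrs["src"])
            else:
                self._in_inline_script = True
                self._buf = []
        for name, value in attrs.items():
            if name.lower() in EVENT_ATTRS:
                self.handlers.append((tag, name, value))
            elif name.lower() in ("href", "src") and value and \
                    value.strip().lower().startswith("javascript:"):
                self.handlers.append((tag, name, value))

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw CDATA through handle_data.
        if self._in_inline_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            self.inline.append("".join(self._buf))
            self._in_inline_script = False


def script_origins(urls, page):
    """Return the set of absolute origins referenced by script URLs.

    Relative URLs resolve to the page's own origin and are covered by 'self'.
    Scheme-relative URLs (//host/x.js) inherit the page's scheme.
    """
    origins = set()
    for u in urls:
        p = urlparse(u)
        if p.netloc:
            origins.add(f"{p.scheme or page.scheme}://{p.netloc}")
    return origins


def sha256_source(body):
    """CSP Level 2 hash source for an inline script: base64(SHA-256(exact body))."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def audit_and_draft(html, page_url):
    """Audit the page and draft a script-src directive suitable for report-only rollout."""
    auditor = ScriptAuditor()
    auditor.feed(html)
    auditor.close()
    page = urlparse(page_url)
    own_origin = f"{page.scheme}://{page.netloc}"

    sources = ["'self'"]
    sources += sorted(o for o in script_origins(auditor.external, page) if o != own_origin)
    sources += [sha256_source(body) for body in auditor.inline]
    if auditor.handlers:
        # Hashes do not cover on*= attributes or javascript: URLs; until those are
        # moved into a consolidated script file, the policy cannot drop 'unsafe-inline'.
        sources.append("'unsafe-inline'")

    policy = "script-src " + " ".join(sources)
    return {
        "external": auditor.external,
        "inline_count": len(auditor.inline),
        "handlers": auditor.handlers,
        "policy": policy,
        # Deploy in report-only mode first so a wrong draft breaks nothing.
        "header": "Content-Security-Policy-Report-Only: " + policy,
    }


# Constructed sample page, loosely shaped like a wiki skin: one same-origin script,
# one CDN script, one inline config block, and three inline handlers.
SAMPLE_PAGE_URL = "https://www.owasp.org/index.php/Main_Page"
SAMPLE_HTML = """<html><head>
<script src="/skins/common/wikibits.js"></script>
<script src="https://cdn.example.org/jquery.js"></script>
<script>var wgPageName = "Main_Page";</script>
</head><body onload="init()">
<a href="javascript:void(0)" onclick="toggle()">toggle</a>
</body></html>"""

if __name__ == "__main__":
    report = audit_and_draft(SAMPLE_HTML, SAMPLE_PAGE_URL)
    print("external scripts:", report["external"])
    print("inline blocks:", report["inline_count"])
    for tag, attr, value in report["handlers"]:
        print(f"inline handler: <{tag} {attr}={value!r}>")
    print(report["header"])
```

The output is the consolidation worklist the thread asks for: every inline handler listed is code that has to move into the consolidated script file before 'unsafe-inline' can be dropped, and the hash list shows how many inline blocks would need hashing (or moving) instead. Run the drafted header in Report-Only mode on the real site and use the violation reports to find anything the static audit missed, such as scripts injected by extensions at runtime.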


